tcpick looked from the inside

The starting function main is in the file tcpick.c. Command-line arguments are parsed by parse_args (args.c).

The packet capture engine is powered by the pcap library, that handles, with the function pcap_loop the callback loop function got_packet (loop.c).

When a packet has been captured by pcap_loop it will be calculated the offset of the ip header (ippacket), the offset of the tcp header (tcppacket). Finally the function verify (verify.c) will be called to analyze the packet.

Packet offset and size are declared globally (extern.h and globals.h) not to allocate the stack every time a function that works on the packet is called

The source code that contains the function verify begins with several #define's used to verify if a sniffed packet match an inizialized connection (or else if it creates a new one).

All connections tracked are stored in a linked list (i hope I will be able to replace it with an efficient balanced tree).

The struct host_descriptor_t describes one side of the tcp connection (the server or the client). The function verify detects the changes of the status of the tracked connection and update it with the function status_switch (tracker.c), that calls the function display_status to notify the user of this change and deletes the connection if it is CLOSED

When data are transmitted (IS_DATA_FLOW) the function established_packet (verify.c) is called. This function detects if the packet is an acknowledgment one or a data one. Unacknowledged data packets are stored in a linked-list by the function addfr (fragments.c). When data are acknowledged by a ack, the function flush_ack (fragments.c) is called.

In flush_ack acknowledged data are flushed to an output stream (display or file) by the function wrebuild (write.c).

The function out_flavour (write.c) is used to select the format of the data wished by the user.